Hunting for deletion events


I was reading about a ransomware strain that deletes any folder called "System Volume Information" in an effort to prevent recovery, so I went to set up a hunting query or detection for that event. I combed through the schema, and through a machine timeline after deleting some folders, but I don't see a way to detect folder (or file) deletion events. Am I missing something?

3 Replies
Have you looked into the DeviceFileEvents table?
Note that not all file events are being logged. If needed, you should use Sysmon to complement MDfE.
https://isc.sans.edu/forums/diary/Sysmon+and+File+Deletion/26084/
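As an added example (not part of the reply above, and not a query from Microsoft's own documentation), an advanced hunting query that surfaces whatever deletions under "System Volume Information" DeviceFileEvents does record, grouped by the process that issued them. It assumes the standard DeviceFileEvents columns (ActionType, FolderName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName) and, as the reply notes, will only show deletions the sensor chose to log:

```kql
// Added hunting example: deletions touching "System Volume Information".
// Coverage caveat: MDfE does not record every FileDeleted event, so an
// empty result is not proof that nothing was deleted.
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileDeleted"
| where FolderName has "System Volume Information"
// Group by device and the process that performed the deletion
| summarize
    DeletedCount = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SampleFiles = make_set(FileName, 5)
    by DeviceName,
       InitiatingProcessFileName,
       InitiatingProcessCommandLine,
       InitiatingProcessAccountName
// Deleting this folder is rarely legitimate, so even a small count is worth review
| order by DeletedCount desc
```

Pair it with process-level hunting (for example, the initiating process's command line) rather than relying on deletion events alone, since the deletion record itself may be missing.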

@Thijs Lecomte I've looked through the schema and scoured existing events but can't find anything. While I respect the power of Sysmon, I'm not at an organization with the resources to realistically collect Sysmon logs from every endpoint.

I understand your pain...
I would recommend relying on MDfE solely then.
The EDR capability should be smart enough to detect most attacks.